
Web API Help page with cross authentication identity from other site


SCENARIO

I have a site in IIS with two applications.

The principal one ("A") is a REST service made with Web API 2 in C#, which contains an Areas folder with an autogenerated Help Page ("B").
"A" uses header-based authorization, not forms authentication. At this moment "B" doesn't have any security.

The second application is a C# MVC site ("C") with Forms Authentication and a login. It has a link to the documentation ("B").

GOAL

The main idea is to log into "C", click on the link provided and get access to "B". The thing here is this: if you try to enter directly at the URL of "B" without logging into "C", you get a redirect to "C".

ACTUAL SITUATION

So what I did, first of all, is this in "B", in the file HelpController.cs:

public ActionResult Index()
{
    if (System.Web.HttpContext.Current.User.Identity.IsAuthenticated)
    {
        // *** do things
    }
    return View();
}

At first, this works on localhost because it is the same site on my PC. So I deployed to DEV but, of course, it didn't work.

So I worked with these links:

Forms Authentication Across Applications
How To: Configure MachineKey in ASP.NET 2.0
machineKey Element (ASP.NET Settings Schema)
MachineKeySection.CompatibilityMode Property

After a lot of work and crypto errors, it would only work with a 32-length key. Other configurations didn't work. The code to generate this key was:

.NET Fiddler: Generate Encrypted MachineKey

using System;
using System.Security.Cryptography;
using System.Text;

// Generate len/2 random bytes and print them as len uppercase hex characters
int len = 64;
byte[] buff = new byte[len/2];
RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
rng.GetBytes(buff);
StringBuilder sb = new StringBuilder(len);
for (int i = 0; i < buff.Length; i++)
    sb.Append(string.Format("{0:X2}", buff[i]));
Console.WriteLine(sb);

So I put this configuration on "C" and it works!

<authentication mode="Forms">
  <forms loginUrl="~/Account/Logon" cookieless="UseCookies" slidingExpiration="true" timeout="480"
         name="ASPXFORMSAUTH"
         protection="All"
         path="/"
  />
</authentication>

<machineKey
  validationKey="5FEA041C5EE0836460BC2C3D8636F2610A357D9B7D606591112089CDEBDA871D"
  decryptionKey="C8E79DC95283007C6E3D6E6698130501680CE032C28DDE4DDB678BAB683C2AFA"
/>

but then, in the "C" web.config located at Areas\HelpPage\Views, this code:

<authentication mode="Forms">
  <forms cookieless="UseCookies" slidingExpiration="true" timeout="480"
         name="ASPXFORMSAUTH"
         protection="All"
         path="/"
  />
</authentication>

<machineKey
  validationKey="5FEA041C5EE0836460BC2C3D8636F2610A357D9B7D606591112089CDEBDA871D"
  decryptionKey="C8E79DC95283007C6E3D6E6698130501680CE032C28DDE4DDB678BAB683C2AFA"
/>

but it didn't work. I mean, the "A" and "B" sites work, but System.Web.HttpContext.Current.User.Identity.IsAuthenticated is always false.

I think I'm missing or mixing something. I'm lost at this point. When I put the configuration in the "A" web.config, everything explodes with a 500 because I don't have forms authentication in the REST service.

Any tip, comment, answer or question will be appreciated; meanwhile I'll keep fighting with this. Thanks in advance!


UPDATE 1

Debugging the code, I get these values:

FormsAuthentication.CookiesSupported == true

but

Request.Cookies[FormsAuthentication.FormsCookieName] == null

Solution

  • The configuration must be done in the web.config of the Web API, not in the config of the help area.
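A web.config fragment for the Web API application "A" that follows the solution above, added here as an example and not taken from the question or any project; the absolute loginUrl pointing at "C", the "Help" route path and the placeholder key values are assumptions, and the forms element mirrors the settings the question shows for "C".

```xml
<configuration>
  <system.web>
    <!-- Same cookie name, path and protection as in "C", so the browser sends
         the ticket issued by "C" and this application can validate and decrypt it.
         loginUrl is an assumption: unauthenticated users are sent to the MVC login. -->
    <authentication mode="Forms">
      <forms loginUrl="https://dev.example.test/C/Account/Logon"
             name="ASPXFORMSAUTH"
             cookieless="UseCookies"
             slidingExpiration="true"
             timeout="480"
             protection="All"
             path="/" />
    </authentication>
    <!-- Placeholders: paste the identical validationKey and decryptionKey used in "C".
         Both applications must also agree on the hashing/encryption algorithms and,
         if they target different framework versions, on compatibilityMode. -->
    <machineKey validationKey="PLACEHOLDER_SAME_VALIDATION_KEY_AS_C"
                decryptionKey="PLACEHOLDER_SAME_DECRYPTION_KEY_AS_C" />
  </system.web>
  <!-- Require a forms ticket only for the help area ("Help" is an assumed route
       prefix); the REST endpoints keep their header-based authorization. -->
  <location path="Help">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

With forms authentication enabled in the API application, ASP.NET turns 401 responses into redirects to loginUrl, so API actions that return 401 to non-browser clients should set HttpResponse.SuppressFormsAuthenticationRedirect (available from .NET 4.5) to keep the status code intact.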